
arp_announce

arp_ignore is configured to 1 to prevent the server from responding to VIP requests, so what is the purpose of arp_announce being configured to 2?

东军 · 2520 days ago · 1420

2 replies

  • @时光是个冷美人 · 2017-12-26 15:46:18

    Related introduction to arp_ignore:


    arp_ignore: Defines the response modes for ARP queries whose target address is a local IP:

    0 - (Default): Respond to ARP query requests for any local IP address on any network interface

    1 - Only respond to ARP query requests whose target IP address is a local address of the network interface that received the request

    2 - Only respond to ARP query requests whose target IP address is a local address of the network interface that received the request, and the requesting IP must be within that interface's subnet

    3 - Do not respond to ARP requests for the network interface's addresses; respond only for the configured connection addresses

    4-7 - Reserved and unused

    8 - Do not respond to any ARP queries (for local addresses)

    Related introduction to arp_announce:

    arp_announce: Restricts which local IP address may be announced in ARP requests sent from a network interface. It determines the level of restriction on the local source IP address announced by the interface that issues the ARP request:

    0 - (Default) Any local address on any network interface (eth0, eth1, lo)

    1 - Try to avoid announcing local addresses that are not in the subnet of the network interface. This is useful when the source IP address that initiates the ARP request is routed through this network interface. It is checked whether the source IP is one of the IPs in the subnet segment of all interfaces; if the source IP does not belong to the subnet segment of any interface, level 2 is used for processing.

    2 - Use the most appropriate local address for the query target. In this mode the source address of the IP packet is ignored, and an attempt is made to select a local address that can communicate with the target address. First, all network interfaces whose subnet contains the target IP address are considered. If no suitable address is found, the current sending network interface, or other network interfaces that may receive the ARP response, are used.

    Some additional notes on understanding arp_announce

    In fact, it is a problem with the router. Because routers generally learn ARP entries dynamically (generally with dynamically configured DHCP), when a machine on the internal network wants to send an IP packet outside, it requests the MAC address of the router by sending an ARP request. This ARP request includes its own IP address and MAC address, and by default Linux uses the source IP address of the IP packet as the source IP address in the ARP, instead of the address of the sending device. In this way, under an architecture like LVS, if all sent packets use the same VIP address, the ARP request will include the VIP address and the device's MAC. When the router receives this ARP request, it will update its own ARP cache. This causes the IP to be spoofed and the VIP to be hijacked, so there will be problems.

    Why is the ARP cache updated, and when? To reduce the number of ARP requests, when a host receives an ARP request asking about itself, it puts the source IP and source MAC into its own ARP table to facilitate subsequent communication. If it receives a request that is not asking for it (ARP is broadcast, so everyone receives it), the request is discarded. This avoids filling the ARP table with useless data that would cause useful records to be evicted.

    When setting the parameters, set arp_ignore to 1, which means that when someone else's ARP request arrives, if the receiving device does not have this IP, it will not respond. The default is 0: as long as any device on the machine has this IP, it will respond to the ARP request and send the MAC address.

    1) VIP (virtual IP). The VIP in direct routing mode must be in the same network segment as the IP address of the server providing external services, and the LVS load balancer and all other servers that provide the same functions use this VIP;

    2) The VIP is bound on the loopback interface lo:0; its broadcast address is itself and its subnet mask is 255.255.255.255. This is very different from standard network address settings. The purpose of using this variable-length mask to divide the network segment into only one host address is to avoid IP address conflicts;

    3) The function of the echo section is to suppress ARP broadcasts. Without ARP suppression, many machines would announce to others: "Hi! I am Obama, I am here!", which would cause chaos.


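The behaviour the answer describes, as an added example that is not part of the original post: a small Python model of how a DR-mode real server decides whether to answer an ARP query for the VIP (arp_ignore) and which local address it puts into its own ARP requests toward the router (arp_announce). The topology is constructed for the illustration (network 192.168.1.0/24, router 192.168.1.1, real server 192.168.1.10 on eth0, VIP 192.168.1.100/32 on lo:0, as in point 2 of the answer) and the level rules are a simplification of the descriptions given above, not the kernel's code. It shows why arp_ignore=1 alone is not enough: with arp_announce=0 or 1 the VIP still appears as the sender address in the ARP request for the router, because the VIP shares eth0's subnet; only level 2 picks eth0's own address.

```python
"""Toy model of the Linux arp_ignore / arp_announce sysctls for an LVS-DR real server.

Added illustration, not code from the original post. The rules follow the level
descriptions in the answer; all addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Iface:
    name: str
    addrs: list  # ipaddress.IPv4Interface entries; the first one is the primary address


@dataclass
class Host:
    ifaces: dict           # name -> Iface
    arp_ignore: int = 0    # kernel default
    arp_announce: int = 0  # kernel default

    def _all_addrs(self):
        return [a for i in self.ifaces.values() for a in i.addrs]

    def replies_to_arp(self, in_iface, sender_ip, target_ip):
        """arp_ignore model: do we reply to 'who-has target_ip' received on in_iface?"""
        target = ipaddress.ip_address(target_ip)
        sender = ipaddress.ip_address(sender_ip)
        if self.arp_ignore == 8:                       # level 8: never answer
            return False
        if target not in [a.ip for a in self._all_addrs()]:
            return False                               # not one of our addresses at all
        if self.arp_ignore == 0:                       # level 0: any local address, any interface
            return True
        mine = [a for a in self.ifaces[in_iface].addrs if a.ip == target]
        if not mine:                                   # address lives on another interface (e.g. lo)
            return False
        if self.arp_ignore == 1:                       # level 1: address must be on the receiving interface
            return True
        if self.arp_ignore == 2:                       # level 2: sender must also be in that subnet
            return any(sender in a.network for a in mine)
        raise NotImplementedError("levels 3-7 are not modelled here")

    def arp_sender_ip(self, out_iface, pkt_src_ip, target_ip):
        """arp_announce model: which local IP is announced when resolving target_ip?"""
        src = ipaddress.ip_address(pkt_src_ip)
        target = ipaddress.ip_address(target_ip)
        out = self.ifaces[out_iface]
        if self.arp_announce == 0:                     # level 0: announce the packet's own source IP
            return str(src)
        if self.arp_announce == 1:
            # level 1: keep the packet source only if it shares a subnet of the sending
            # interface with the target; otherwise fall through to level 2
            if any(src in a.network and target in a.network for a in out.addrs):
                return str(src)
        # level 2 (and level 1's fallback): the address best suited to reach the target
        for a in out.addrs:
            if target in a.network:
                return str(a.ip)
        for a in self._all_addrs():
            if target in a.network and not a.ip.is_loopback:
                return str(a.ip)
        return str(out.addrs[0].ip)                    # last resort: sending interface's primary address


def real_server(arp_ignore=0, arp_announce=0):
    """DR-mode real server: service address on eth0, VIP bound on lo:0 with a /32 mask."""
    eth0 = Iface("eth0", [ipaddress.ip_interface("192.168.1.10/24")])
    lo = Iface("lo", [ipaddress.ip_interface("127.0.0.1/8"),
                      ipaddress.ip_interface("192.168.1.100/32")])  # lo:0 VIP, constructed
    return Host({"eth0": eth0, "lo": lo}, arp_ignore, arp_announce)


ROUTER, VIP, RS = "192.168.1.1", "192.168.1.100", "192.168.1.10"  # constructed sample addresses


def vip_hidden(arp_ignore, arp_announce):
    """Returns (does not answer ARP for the VIP, announces eth0's address instead of the VIP)."""
    h = real_server(arp_ignore, arp_announce)
    silent = not h.replies_to_arp("eth0", ROUTER, VIP)           # router asks who-has VIP
    own_addr = h.arp_sender_ip("eth0", VIP, ROUTER) == RS        # reply packet from VIP needs router's MAC
    return silent, own_addr


if __name__ == "__main__":
    for ig, an in [(0, 0), (1, 0), (1, 1), (1, 2)]:
        silent, own_addr = vip_hidden(ig, an)
        print(f"arp_ignore={ig} arp_announce={an}: "
              f"ignores VIP queries={silent}, announces eth0 address={own_addr}")
```

Only the last combination, arp_ignore=1 with arp_announce=2, both keeps the real server quiet about the VIP and keeps the VIP out of the router's ARP cache, which is the combination the question asks about.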
  • 东军 · 2017-12-26 18:39:25

    Thank you, give you a thumbs up!